Posted to users@httpd.apache.org by Ken Nishimura <ke...@agilent.com> on 2013/03/28 22:33:10 UTC
[users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Hi -
I've searched the archives and it looks like this was discussed back in
2010 with a "WONTFIX". I just wanted to make sure this is still the case.
Basically, using the mod_auth_ldap module, apart from using SSL (and
associated overhead), is it still the case that there is no way to
encrypt just the passing of username and password from the client
(browser) back to the server?
As others have pointed out, SSL is a fallback, but with associated
overhead. Has this been fixed in later versions of Apache?
Thanks,
Ken
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Noel Butler <no...@ausics.net>.
On Sat, 2013-03-30 at 13:51 -0400, Stormy wrote:
> At 12:05 PM 3/30/2013 +1000, Noel Butler wrote:
>
> > Sounds like a package manager problem to me
>
>
> I'm not sure of that, but I'm not a php expert :( Just been doing
> some testing on the sandbox (dpkg --force-all, not apt), and it comes
> back to php's lack of thread safety. Blowfish encryption doesn't
> function without full php and libapache2-mod-php5, and if I leave
Ugh, yeah, but this is because of the way your operating system distro
vendor has packaged this software.
libapache2-mod-php5 is not an official package name.
Try getting the httpd and php sources and building them; it's why I won't touch
things like that from certain distros, too much butchering goes on. php
has a helpful mailing list for php related questions, but AFAIK php is
thread safe, but not all modules might be; again, a question for them as
it's not httpd related.
> those in place and go back to mpm-worker (faster, less overhead for my
> server usage) I seem to be in trouble with env vars (setlocale.php).
> Not sure if I can run FastCGI and remove mod-php? I've read that this
> would restore thread safety by taking php outside Apache (2.2.22 on U 12.04 LTS)
>
>
> By the way, is there a "quick" way of swapping between worker and
> prefork without re-compiling? That would make my testing a whole lot
> easier.
>
httpd -l and look to see what's there.
I am using only 2.4 now; event (similar to, but more advanced than, worker) is now
the default MPM. If you want prefork, compile with --with-mpm=prefork
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Stormy <st...@stormy.ca>.
At 12:05 PM 3/30/2013 +1000, Noel Butler wrote:
>Sounds like a package manager problem to me
I'm not sure of that, but I'm not a php expert :( Just been doing some
testing on the sandbox (dpkg --force-all, not apt), and it comes back to
php's lack of thread safety. Blowfish encryption doesn't function without
full php and libapache2-mod-php5, and if I leave those in place and go back
to mpm-worker (faster, less overhead for my server usage) I seem to be in
trouble with env vars (setlocale.php). Not sure if I can run FastCGI and
remove mod-php? I've read that this would restore thread safety by taking
php outside Apache (2.2.22 on U 12.04 LTS)
By the way, is there a "quick" way of swapping between worker and prefork
without re-compiling? That would make my testing a whole lot easier.
Thanks a million - Paul
>On Fri, 2013-03-29 at 19:30 -0400, Stormy wrote:
>>
>>
>>At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:
>>[snip]
>> >mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
>> >any provision to encrypt the password separately from the rest of the
>> >connection.
>> >
>> >mod_authnz_ldap doesn't work with Digest authentication -- I don't think
>> >it can.
>>
>>(Slight tangent to this thread) does anyone know of an equivalent to
>>php-crypt-blowfish that works with Apache2 compiled as worker? it seems to
>>want to:
>>
>>The following packages will be REMOVED:
>> apache2-mpm-worker
>>The following NEW packages will be installed:
>> apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5
>>
>>I'm not stuck on php and might prefer Perl or PEAR, whatever.
>>
>>Thanks - Paul
>>
>>
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Noel Butler <no...@ausics.net>.
Sounds like a package manager problem to me
On Fri, 2013-03-29 at 19:30 -0400, Stormy wrote:
> At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:
> [snip]
> >mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
> >any provision to encrypt the password separately from the rest of the
> >connection.
> >
> >mod_authnz_ldap doesn't work with Digest authentication -- I don't think
> >it can.
>
> (Slight tangent to this thread) does anyone know of an equivalent to
> php-crypt-blowfish that works with Apache2 compiled as worker? it seems to
> want to:
>
> The following packages will be REMOVED:
> apache2-mpm-worker
> The following NEW packages will be installed:
> apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5
>
> I'm not stuck on php and might prefer Perl or PEAR, whatever.
>
> Thanks - Paul
>
>
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Stormy <st...@stormy.ca>.
At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:
[snip]
>mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
>any provision to encrypt the password separately from the rest of the
>connection.
>
>mod_authnz_ldap doesn't work with Digest authentication -- I don't think
>it can.
(Slight tangent to this thread) does anyone know of an equivalent to
php-crypt-blowfish that works with Apache2 compiled as worker? it seems to
want to:
The following packages will be REMOVED:
apache2-mpm-worker
The following NEW packages will be installed:
apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5
I'm not stuck on php and might prefer Perl or PEAR, whatever.
Thanks - Paul
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Ken Nishimura <ke...@agilent.com>.
Eric -
I'm not exactly sure what your last question means. However, I think
you answered my question. In short, the situation has not changed. If
we want to ensure that the password is passed from the client (browser)
to the server securely (to be further passed on to the LDAP server), we
have to use SSL (https). The path from the http server to the LDAP
server is secure using SSL (ldaps), but from the client to the server is
unencrypted unless the entire thing is SSL'ed.
I'm pretty new at this, but it appears that the act of popping up a
dialog box asking for username/password cannot be encrypted separately
from the http connection.
Thanks,
Ken
On 03/28/2013 04:11 PM, Eric Covener wrote:
> On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura
> <ke...@agilent.com> wrote:
>> Basically, using the mod_auth_ldap module, apart from using SSL (and
>> associated overhead), is it still the case that there is no way to encrypt
>> just the passing of username and password from the client (browser) back to
>> the server?
>>
>> As others have pointed out, SSL is a fallback, but with associated overhead.
>> Has this been fixed in later versions of Apache?
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
> any provision to encrypt the password separately from the rest of the
> connection.
>
> mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>
> What does your client support that would need a "fixed" mod_authnz_ldap?
>
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura
<ke...@agilent.com> wrote:
> Basically, using the mod_auth_ldap module, apart from using SSL (and
> associated overhead), is it still the case that there is no way to encrypt
> just the passing of username and password from the client (browser) back to
> the server?
>
> As others have pointed out, SSL is a fallback, but with associated overhead.
> Has this been fixed in later versions of Apache?
mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
any provision to encrypt the password separately from the rest of the
connection.
mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
What does your client support that would need a "fixed" mod_authnz_ldap?
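Eric's two points above, that HTTP Basic carries the password with no encryption of its own and that Digest cannot be backed by an LDAP bind, can be seen concretely in a few lines of Python. This is an added example, not code from the thread, from httpd or from mod_authnz_ldap: the directory is a constructed in-memory stand-in for an LDAP server that only answers simple binds, and the user name, password, realm, nonces and the sample Authorization header are all made up for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed in-memory stand-in for the LDAP directory (an assumption of this
# example, not a real LDAP client).  Like a real directory it answers only one
# question, "does this user/password pair bind?", and never hands back the
# password or any hash of it.
_DIRECTORY = {"ken": "correct horse battery staple"}

# Constructed sample header: what a browser sends for "ken" with that password.
SAMPLE_BASIC_HEADER = "Basic a2VuOmNvcnJlY3QgaG9yc2UgYmF0dGVyeSBzdGFwbGU="


def ldap_simple_bind(user: str, password: str) -> bool:
    """Simulated LDAP simple bind: only the cleartext password is accepted."""
    stored = _DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8"))


def make_basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic credential.  Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization: str) -> tuple:
    """Recover (user, password) from a Basic header, exactly as anyone who can
    read a plain-HTTP request does."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not an HTTP Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user, password


def authenticate_basic_via_ldap(authorization: str) -> bool:
    """mod_authnz_ldap's model: the server sees the password, so it can bind."""
    user, password = parse_basic(authorization)
    return ldap_simple_bind(user, password)


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), the secret an htdigest file stores."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: only this hash is sent;
    the password never leaves the browser."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(ha1, response, method, uri, nonce, nc, cnonce, qop="auth") -> bool:
    """Server side: recomputing the response requires HA1, i.e. the password
    or a stored hash of it.  An LDAP bind can supply neither."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected.encode("ascii"), response.encode("ascii"))


def authenticate_digest_via_ldap(user: str, response: str) -> bool:
    """Why Digest + LDAP does not compose: all the server holds is the digest
    response, which is neither the password nor HA1, so the only bind it can
    attempt is rejected."""
    return ldap_simple_bind(user, response)


if __name__ == "__main__":
    print("Basic header decodes to:", parse_basic(SAMPLE_BASIC_HEADER))
    print("Basic -> LDAP bind:", authenticate_basic_via_ldap(SAMPLE_BASIC_HEADER))
    resp = digest_response("ken", "ldap-realm", "correct horse battery staple",
                           "GET", "/secure/", "dcd98b7102dd2f0e", "00000001", "0a4f113b")
    print("Digest verifies with stored HA1:",
          verify_digest(digest_ha1("ken", "ldap-realm", "correct horse battery staple"),
                        resp, "GET", "/secure/", "dcd98b7102dd2f0e", "00000001", "0a4f113b"))
    print("Digest -> LDAP bind:", authenticate_digest_via_ldap("ken", resp))
```

Running it shows the asymmetry: the Basic path binds because the server holds the cleartext password, and an observer of a plain-HTTP request recovers that password with the same base64 decode; the Digest path only ever yields an MD5 response, which no simple bind will accept, and verifying it server-side needs HA1, which a directory that only answers binds cannot provide. That leaves the conclusion Ken reached: serve the LDAP-protected Location over HTTPS (mod_ssl's SSLRequireSSL directive refuses plain-HTTP requests to it) and use an ldaps:// AuthLDAPURL for the hop from httpd to the directory.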